Description
An out-of-bounds write vulnerability was found in GStreamer's H.266/VVC PPS picture partition parser in gst-plugins-bad. In the multi-slice-in-tile processing of gst_h266_parser_parse_picture_partition() (gsth266parser.c), the loop iterates without checking that the slice index stays within bounds, writing past three fixed-size arrays (slice_height_in_ctus, slice_top_left_ctu_x, slice_top_left_ctu_y) in the GstH266PPS structure. While the initial proof-of-concept demonstrated a 4-byte out-of-bounds write, the code permits larger writes across multiple iterations. A crafted H.266/VVC media file can trigger this vulnerability.
Published: 2026-06-11
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out‑of‑bounds write exists in GStreamer’s H.266/VVC PPS picture partition parser within the gst-plugins‑bad component. The parser loop fails to check that the slice index stays within bounds of three fixed‑size arrays, allowing a crafted media file to write beyond these buffers. This can corrupt memory or cause a crash, but the CVE description does not confirm arbitrary code execution.

Affected Systems

Red Hat Enterprise Linux distributions 7 through 10 that ship the gst‑plugins‑bad package are affected. The vulnerability resides in the GStreamer library bundled with these releases; all supported variants that include the unpatched plugin are considered vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity, and the vulnerability is not listed in CISA’s KEV catalog. EPSS information is unavailable, so the exploitation probability is unknown. The likely attack vector is the provision of a malicious H.266/VVC media file to an application that processes content using GStreamer, such as media playback or batch encoding.

Generated by OpenCVE AI on June 11, 2026 at 23:22 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

OpenCVE Recommended Actions

  • Apply the Red Hat security update that contains the patched gst‑plugins‑bad once it is released.
  • Until the patch is available, restrict the processing of H.266/VVC media to trusted sources or run GStreamer‑based pipelines in a sandboxed or containerized environment with no privileged access.
  • If possible, disable H.266/VVC support in the application configuration to avoid the vulnerable parser until a fix is applied.

Generated by OpenCVE AI on June 11, 2026 at 23:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 11 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 11 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description An out-of-bounds write vulnerability was found in GStreamer's H.266/VVC PPS picture partition parser in gst-plugins-bad. In the multi-slice-in-tile processing of gst_h266_parser_parse_picture_partition() (gsth266parser.c), the loop iterates without checking that the slice index stays within bounds, writing past three fixed-size arrays (slice_height_in_ctus, slice_top_left_ctu_x, slice_top_left_ctu_y) in the GstH266PPS structure. While the initial proof-of-concept demonstrated a 4-byte out-of-bounds write, the code permits larger writes across multiple iterations. A crafted H.266/VVC media file can trigger this vulnerability.
Title Gstreamer1-plugins-bad-free: gstreamer: out-of-bounds write in h.266/vvc pps picture partition parser
First Time appeared Redhat
Redhat enterprise Linux
Weaknesses CWE-787
CPEs cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Redhat Enterprise Linux
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-11T19:12:24.288Z

Reserved: 2026-06-10T15:40:26.501Z

Link: CVE-2026-53701

cve-icon Vulnrichment

Updated: 2026-06-11T19:12:15.482Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-11T19:16:47.913

Modified: 2026-06-11T20:56:29.653

Link: CVE-2026-53701

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-10T00:00:00Z

Links: CVE-2026-53701 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T23:30:05Z

Weaknesses